You are on page 1of 20

Supplemental Guidance:

Optimizing public Sector


Audit Activities

Table of Contents
Executive Summary............................................................................. 2
Introduction......................................................................................... 2
Advantages of Centralizing the Internal Audit Function...................... 4
Disadvantages of Centralizing the Internal Audit Function................. 5
General Observations.......................................................................... 7
The Australian Case Study Centralization........................................ 8
The United States Case Study Partial Decentralization.................. 11
Conclusion........................................................................................ 15
Authors and Reviewers...................................................................... 16

Supplemental Guidance: Optimizing Public Sector Audit Activities

Supplemental Guidance:
Optimizing Public Sector
Audit Activities

July 2012

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

Executive Summary
Governments across the globe are considering or are in the process of restructuring their internal audit activities. There are several reasons; these include, among others,
political, fiscal, or organizational considerations. Generally, economy and efficiency are
key benefits identified for centralization, and effectiveness is the key benefit identified
for decentralization. The bottom line for each organization is to look at its unique situation and decide what is best.
This guidance describes the advantages and disadvantages of restructuring. It is based
on two case studies, described within this guidance.
When considering restructuring public sector audit functions, some general observations can be made:
zzReporting

lines of the Chief Audit Executive (CAE) should be very clear. This is
particularly important to preserve boundaries and ensure confidentiality. There is
the potential that the CAE could have conflicting pressures regarding reporting
organizational risks.

zzCare

should be taken that the audit organization does not become, or is not perceived to be, an external auditor. It is essential that it retain the role of internal
audit.

zzHaving

multiple audit steering committees brings its own challenges; the resolution depends on the particular model used.

Introduction
This guidance examines the potential advantages and disadvantages of restructuring
public sector audit activities. The analysis applies to government agencies that have
their own internal audit units that are decentralized and are considering their amalgamation, as well as those that have a centralized internal audit organization and are considering partial or complete decentralization.
This guidance does not consider the relative benefits of outsourcing the internal audit
responsibilities, even though some of the arguments are used in discussions to support
either outsourcing or in-sourcing depending on ones focus.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

This guidance presents two scenarios:


zzA

case where separate organizations, departments, or agencies are being combined under one portfolio and, as a result, the audit activities servicing the separate organizations are being consolidated into one centralized unit.

zzA

case where an organization had one centralized audit group and has, based on
evaluated need, split the activity into separate units to foster better accountability
and transparency.

Any organization considering a change from its current organizational structure with
respect to management of the internal audit activity should consider the advantages and
disadvantages of each option and determine what is best suited for the organizations
current stage of maturity.
As a general rule, any organization that does not have robust administrative processes
and sound controls in place among its separate audit units may best be managed
centrally. Alternatively, an organization that is mature in its management and is seeking
efficiencies, standardization, and consistency across its portfolio may also benefit from
centralization.1
Conversely, an organization that services different unique customer needs, is focused on
specific audits, and is confident of its overall administration and management of audit
resources may best be managed in a decentralized manner.
This guidance assumes that the units being consolidated are closely located geographically and that travel, that affects time and budget, and communication costs are not
factors being considered.
This guidance includes two case studies.
zzThe

first, demonstrating the advantages of consolidation, examines the recent


integration of the audit responsibilities under one general manager for the Commonwealth of Australias Human Services portfolio.

zzThe

second shows the benefits of partially decentralizing the internal audit and
advisory services of the City of Austin, Texas (United States). Its goal was to
create a control ownership environment with the citys operational management
leading to better accountability and transparency in Austins local government.

1 To determine the maturity level, see the book titled Internal Audit Capability Model (IA-CM) for the
Public Sector, copyright 2009, The Institute of Internal Auditors Research Foundation (IIARF).

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

Advantages of Centralizing the


Internal Audit Function
Reasons for centralizing the internal audit activity are not dissimilar to the general arguments for consolidating or bringing together like organizational units. Similar arguments
can be presented for integrating (or not integrating) the finance or human resource
activities.
Supporting arguments include:
zzStreamlining

corporate activities for greater cost efficiency.

{{Administrative

overhead generally can be reduced by consolidating activities.


One example is the savings that can be achieved by bringing together the
administrative units (e.g. secretariats) that service the individual boards.2

zzIntegrating

responses to central audit authorities.

{{It

is important that coordinated and consistent messages are given to supreme


audit institutions, such as the Australian National Audit Office. This would be
much more difficult to achieve for agencies that have merged without a fully
integrated audit activity.

zzProviding

consistency of service to the chief executive(s).

{{Without

a central audit activity, it is possible that a different approach would


be adopted by the separate units, resulting in different advice being given to
Public Enterprises
the chief executives.

zzRecruiting

and training across the portfolio for increased staffing consistency.


Zoneaudit organization can provide
{{With its large number ofGray
staff,oraBoundary
centralized
more training and standardized recruitment practices, drawing on volumes
and economies of scale. State Businesses and
Public Contractors
zzSharing and leveraging staff experiences across the portfolio.
{{Under

a centralized arrangement, audit staff can be rotated throughout the


organization, applying their skills and experience where needed most. Conversely, job rotations can increase exposure and experience in different areas
and types of audits.

{{While

not always practical in smaller organizations, larger units can develop


subject matter experts. These staff should undertake a wider range of audits,

2 The term board is used in this guidance as defined in the International Standards for the Professional
Practice of Internal Auditing (Standards) Glossary: A board is an organizations governing body, such as a
board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees
of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

which could prove challenging in job scheduling. Larger units also can develop
specialty audit programs.
zzFacilitating

reporting of portfolio audit activities.

{{Consistent reporting is achieved through having a centralized audit organization.

Conclusion:
zzCentralizing

internal audit enhances independence from agency management.

zzCentralizing

the board provides uniform direction and resource coordination, as


well as increased visibility and transparency.

zzGovernments

that currently lack internal audit coverage could gain added oversight as a result of consolidation.

zzHaving

only one audit plan better allocates audit resources to enterprise wide
goals and minimizes audit duplication and overlap through coordinated coverage
of risk areas by internal audit, external audit, and other oversight groups.

zzAudit

processes become more consistent and streamlined through a centralized


model, consistent risk assessment framework, and issue ratings.

zzA

larger pool of central resources provides pockets of expertise that better align
with government risk profiles (e.g., IT audit resources).

zzMore

effective end-to-end process reviews span multiple governmental units.

zzSaving

costs of internal audit software tools and training can be realized in volume purchases.

zzCentralizing

quality assurance of the whole internal audit function is a key component driving process consistency and efficiency.

Disadvantages of Centralizing
the Internal Audit Function
There are real and perceived disadvantages to integrating like activities, and they can
apply generally to any organizational units being combined. For example:
zzLoss

of ownership or power. It can be perceived that integration results in


winners and losers. This is especially the case when a larger unit is perceived
as taking over a smaller unit.
{{This

is an important perception and should be managed by constantly communicating intentions, consulting with staff, and ensuring that appointments
in the amalgamated structure are made equitably and without real or apparent
favor. If properly managed, loss of ownership or power should not be a real
threat to integration.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities


zzLoss

of authority. Ownership by staff means they can be tasked to respond


to priorities. When staff is integrated, a different leadership has control of this
resource. It is important that the audits carried out by the centralized organization reflect largely and certainly during the early period of integration those
from the original units.

zzGeneral

resistance to change. Staff members are generally comfortable with


the status quo, and resist changes that may impact their comfort level. Change
can be seen as a threat to jobs and security, as well as present challenges that
staff may not be able to meet.

zzLoss

of agility. A smaller organization can respond more quickly and be more


focused in addressing any organizational issue. A small audit activity within an
organization can quickly adjust its program to accommodate new priorities, and
be more flexible in responding to executive requirements. This agility is diluted in
larger organizations. There is also the potential for a decrease of local coverage in
larger organizations.

zzIncreased

bureaucracy. This, in part, is the mirror image of the loss in agility.


Greater numbers of staff often result in increased administrative bureaucracy, as
well as smaller overall budgets. As the total costs of the audit activity across the
portfolio become evident, they can be a target for budget cuts.

zzHigher

workload levels. Integration inevitably results in a larger workload for


audit executives and senior managers. Generally, the increased workload is not
compensated by a commensurate increase in resources. As a general rule, the
workload increases in proportion to the number of audit activities being integrated. Centralized audit executives respond to the requirements of their executive
managers. The workload increase can be particularly heavy in attending meetings
and in increased reporting requirements.

zzIndividual

agencies or government entities can lose control over internal audit


coverage for new, emerging needs.

zzIf

not placed correctly within the organization, internal audits role and importance may diminish.

zzCentralization

often reduces the number of senior internal audit managers and


can create a loss of expertise that executive management still requires.

zzReduced

ongoing presence in local units of government may limit internal audits


advisory role. Upfront assurance and consulting is an ideal position for internal
audit.

zzMedia

risk to agencies or governments is not always confined to larger organizations and processes. Increased communication is required to foster better awareness and understanding due to less daily interaction.

zzCentral

accumulation of internal audit costs may increase budget accountability


and scrutiny.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

General Observations
Some general observations can be made when considering consolidating public sector
audit activities, including:
zzThe

reporting line(s) of the CAE should be very clear (i.e., who is actually in
charge). This is particularly important to preserve boundaries and ensure confidentiality. There is the potential that the CAE could have conflicting loyalties in
reporting organizational risks.
{{The

authority of the CAE to escalate issues to the chief management


executive(s) should be clearly defined.

zzCare

should be taken that the consolidated audit organization does not become,
or is not perceived to be, an external auditor rather than retaining the role of
internal audit.
{{For

this reason, it is important to retain staff in the same physical locations as


before the consolidation.

{{It

is also important that the chief of the consolidated internal audit activity
regularly attends executive forums of the integrated agencies.

zzHaving

multiple audit steering committees brings its own challenges, and resolution depends upon the particular model used. Consideration can be given to:
{{Each

retaining its existing role and responsibilities.

{{Establishing
{{Having

a supreme board with overarching authority.

a degree of common or shared membership.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

The Australian Case Study


Centralization
In the case of the Commonwealth of Australias Human Services portfolio, five separate public sector organizations have been brought together and their audit functions
integrated as a part of the governments Service Delivery Reform agenda, known locally
as works for you.
Each of the five agencies provides some aspect of human services.
zzThe

Department of Human Services aims to improve government, social, and


health-related services to all Australians.

zzCentrelink

delivers a range of Commonwealth services to the Australian community to assist people in becoming self-sufficient and supports those in need.

zzMedicare

Australia assists in improving health outcomes in Australia.

zzCommonwealth

Rehabilitation Service is a leading provider of disability


management and assessment services to people with a disability, injury, or health
conditions.

zzChild

Support Agency supports separated parents to transfer payments for the


benefit of their children.

Planning
The planning for the amalgamation separated the implementation into three separate
phases:
Phase 1: Amalgamation. This phase took effect quickly and changed the
reporting lines of audit staff in the five agencies by requiring that all
audit staff report to the chief audit executive, who is referred to as the
Portfolio General Manager, Audit.
Phase 2: Consolidation. This phase comprised a six-month program commencing from the date that the reporting lines were changed. It considered and proposed new roles for the separate audit committees and
made other short-term administrative changes, including:
zzIntegrating

the separate audit manuals.

zzStandardizing
zzUniting

filing and records management.

zzRationalizing
zzOrganizing
zzArranging

the different audit protocols.

staff training.

computer access across the amalgamated units.

access passes to buildings.

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

Phase 3: Integration. This phase included an 18-month period awaiting the


passing of legislation by the federal parliament to make a fully integrated audit organization legally possible.
Details of these phases were submitted by the general manager and subsequently were
approved by the chief executives of all the agencies being amalgamated.

Principles Applied to the Consolidation


A set of principles was applied when developing the amalgamated structure.
zzThe

integrated structure would retain senior positions that would, as a prime responsibility, manage the audit activities for each of their former agencies. Agency
heads could call on these positions for advice and to conduct work on behalf of
their agencies.
{{This

eliminated any perception that the bigger audit organization was no


longer responsive to individual agency executives or that their requirements
would not be given appropriate attention or priority.

zzThere

would be only one audit executive responsible for delivering the overall
portfolio audit program.
{{While,

as a matter of practicality, the individual audit programs were retained


and implemented generally by the same management and staff prior to the
amalgamation the audit executive had overall responsibility for the programs delivery and was accountable to the individual agencys chief executive.

zzAdministrative

functions would be fully integrated.

{{This

would not only achieve savings through rationalization and increased effectiveness, but also was an important integrating activity so that the previous
administrative activities could be blended into one.

zzStaff

continued to carry out their audits prior to consolidation, and would continue to be located in their existing premises.
{{This

allowed staff to maintain their contacts within their former agencies and
minimized disruption while the separate phases were being implemented.

{{A

process was then launched to relocate staff as necessary, after consultation,


with the more senior positions being the first to be relocated.

Experience to Date
The experience has been mostly beneficial and positive from every perspective. There
have been some lessons learned from the Australian experience, including:
zzWorkload

increased rapidly for everyone involved especially the senior audit

managers.
www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities


{{Senior

audit managers workload increased as a result of the need to attend


meetings in the former agencies to update their executives on audit matters.
Reporting requirements increased in proportion to the number of agencies
being consolidated.

zzNecessity

to engage management executives.

{{It

is necessary to engage the top executives of the agencies that have been
amalgamated. This diminishes concerns and assists in building confidence in
the amalgamated organization.

zzIt

is important that staff be consulted about all the changes and management
communicate proposed changes.
{{In

the absence of frequent communication and consultation, rumors are likely


to circulate. Staff are mostly concerned with:

yy Whether

their salary will change.


physical location.
yy Whether career prospects will be enhanced.
zzIt is best for the consolidation (as well as decentralization) to be implemented in
defined stages.
yy Their

{{Big

bangs should be avoided. A phased implementation causes the least


disruption. For example, the audit programs are maintained, clear and detailed
instructions can be developed and promulgated, and staff as well as the
portfolio become familiar and at ease with the changes.

zzIt

is necessary to clarify leadership and financial delegations up front, given the


changed reporting lines and authority for spending funds.
{{The

executives of the organizations being consolidated will invariably have


different levels and types of delegations both for staffing and budget matters. It is important that the delegations and authority of the executives of the
consolidated audit unit be determined as soon as possible.

zzConsider

and define the roles of audit steering committees.

{{This

is an important aspect given, in some countries, the legislative requirement of these committees and the responsibility of the agency heads for their
respective audit programs.

zzAssurance

and risk mitigation.

{{It

is necessary to address project assurance and ensure that any risks associated with the consolidation are known and addressed as well as that the
consolidation is well-managed.

10

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities

The United States Case Study


Partial Decentralization
The city of Austin, Texas, chartered in 1839, has a council-manager form of government
with a mayor and six council members. The mayor and council members are elected at
large for three-year staggered terms with a maximum of two consecutive terms. The city
manager, appointed by the city council, is responsible for managing all city employees
and the administration of city affairs with the exception of the city auditor, city clerk,
municipal court, and municipal court judge.
The city provides a full range of services, including general government, public safety,
transportation, planning and sustainability, public health, public recreation and culture,
urban growth management, electric, water, wastewater, airport, convention, and other
enterprise services.

Government Organization
City government is organized into six separate operating groups that comprise multiple
departments within each group (as shown below). Each group is headed by an assistant
city manager, including the city managers chief of staff.
zzFinancial
{{Chief

and Administrative Services

Financial Officer

{{Treasury
{{Budget
{{Purchasing
{{Controller

of contract land management

{{Convention

center

{{Communications
{{Human

resources/labor relations

zzDevelopment
{{Economic
{{Planning

Services

Growth and Redevelopment Services Office

and Development Review

{{Sustainability
{{Watershed
{{Real

and technology management

Office

protection

estate services

{{Aviation

www.globaliia.org/standards-guidance

11

Supplemental Guidance: Optimizing Public Sector Audit Activities


zzInfrastructure
{{Austin

Services

Water Utility

{{Capital

Planning Office

{{Public

Works

{{Austin

Resource Recovery

{{Transportation
zzCommunity

Services

{{Animal

Services

{{Health

and Human Services

{{Library
{{Neighborhood
{{Parks
zzPublic

Housing and Community Development

and Recreation

Safety

{{Code

compliance

{{Community
{{Emergency
{{Medical

court

medical services

director

{{Fire
{{Homeland

security

{{Police
zzChief

of Staff

{{Building
{{Public

services

information

{{Small

and minority business resources

{{Fleet

services

{{Governmental

relations

There are also direct reports to the city manager, and to the city council (as mentioned
above):
zzDirect

{{Austin

Energy

{{Police

monitor

{{Law

12

Reports to City Manager

department

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities


zzDirect

Reports to City Council

{{City

auditor

{{City

clerk

{{Municipal

court/judges

Decentralized Audit and Assurance


The city auditor also is appointed by the city council for a term of five years and is
required by ordinance to follow Generally Accepted Governmental Auditing Standards
(GAGAS). In addition to the office of the city auditor (OCA), the city also has several
audit and assurance entities appointed by department and enterprise heads. OCA and
the other audit and assurance entities also conform with the Standards.
City of Austin Audit and Assurance Entities

Department

Title

Austin Energy

Internal Auditor
Internal Auditor Senior
Regulatory Auditor Senior
Audit Manager

Austin Water

Manager, Regulatory Audit


Regulatory Auditor Senior

Aviation

Manager, Airport Bus Enterprise


Performance Consultant
Business Process Consultant Senior

Convention Center

Department Quality Analyst

Construction and Land Management

Department Quality Analyst

Financial Services (TARA)

Department Quality Analyst

Health and Human Services

Department Quality Analyst

Human Resources

Department Quality Analyst

Parks and Recreation

Department Quality Analyst

Solid Waste Services

Department Quality Analyst

www.globaliia.org/standards-guidance

13

Supplemental Guidance: Optimizing Public Sector Audit Activities

Planning
The decentralization of auditing is a dynamic process. The approach comprises five steps.
Step 1:

Evaluation of need. The existing city organization was and is


evaluated by the OCA and city management to determine how to best
organize an effective audit and assurance environment. This includes
evaluating for risks that would lend themselves to needing an audit/
review to address specialized audit topics. Examples considered were
contract audits of city vendors in specialty areas (e.g., utility, aviation,
vendor revenue), and other audits that can be more effectively and
efficiently conducted by specialty auditors.

Step 2:

Validation and creation of special audit and review groups.


In addition to the existing internal audit activities at the two utilities,
other assurance service needs were identified in other departments.

Step 3:

Reevaluating the other assurance activities. A current effort is


underway to determine what other activities should be converted into
internal audit activities.

Step 4: Creation of an audit and assurance committee. This committee assists in facilitating effective collaboration to avoid duplication
of efforts as well as provide pathways where each unit would be able
to rely on the work of the other audit activities and where centralized
efficiencies can be realized. This includes, but is not limited to, coordinated development of professional standards policies, training, and
computerized audit tools.
Step 5: Creation of a quality assurance coordinator. A quality assurance
activity was created in the OCA to provide ongoing reviews of the various auditing and assurance activities in the city. The results of those
reviews will be presented to the individual boards, or to the department head, as appropriate.

Principles Applied to the Decentralization


A set of principles were applied when developing the decentralized structure.
zzThe

overall responsibility for governmental auditing for the city and city management remains with the city auditor.

14

www.globaliia.org/standards-guidance

Supplemental Guidance: Optimizing Public Sector Audit Activities


zzInternal

audit activities can be considered for those departments or enterprises


that have specialty, or specific, needs that are best addressed by specialty auditors, such as regulatory, revenue, contract, and other auditors.

zzAll

departments desiring to create an audit and assurance office and use the title
of internal auditor or auditor should be required to follow the Standards as well as
standards mandated by laws, regulations, ordinances, etc. Human resources and
city management coordinate with the OCA when proposing the creation of an
auditing activity and the use of any title including the word auditor. All decentralized offices are subject to audit by the city auditor to ensure that audit quality and
standards are adhered to in accordance with the Standards and all other applicable standards.

Even in a decentralized environment, there are benefits to having a coordinating organization where all activities are represented.

Experience to Date
The experience has been beneficial and resulted in other actions and lessons learned:
zzOther

audit offices are being considered.

zzThere

is an increasing awareness and acceptance of the control environment and


of managements responsibilities.

zzA

dotted line or other closely coordinated structure is ideal. Clear goals, responsibilities and roles, and planning should be defined.

zzPlanning

should be coordinated to avoid duplication and gaps in audit coverage.

zzEmbedded

auditors are more effective and efficient in auditing external vendors


because of their proximity to operations.

zzThere

is a need to evaluate the reporting structure of the various audit activities


to ensure adherence to the Standards, and other applicable standards.

Responsibilities for audit committees or the top of the auditors reporting structure
should be well-defined.

Conclusion
There are several reasons for restructuring. For example, there are often political, fiscal,
and organizational considerations. Generally, economy and efficiency are key benefits
identified of centralization, and effectiveness is the key benefit identified of decentralization. But it is not always that clear.
Politics, available skilled resources, a means to gain control of dysfunctional organizations, response to scandal or citizen discontent, etc., can all impact the appropriate
www.globaliia.org/standards-guidance

15

Supplemental Guidance: Optimizing Public Sector Audit Activities

structure of an audit function. At times the benefits can actually switch back (i.e., decentralization might be more economical). Or, a rapidly expanding organization cannot
maintain itself using a centralized basis. Or, at times anexpanding organization should
centralize to gain control and impose a uniform culture.
The bottom line is that each organization has to look at its unique situation and decide
what organizational structure is best.

Authors and Reviewers


Authors:
Drs. Tea Enting-Beijering, RA (Netherlands)
Joe Bell, CIA, CGAP (U.S.)
Darren Box, CPA (Australia)
Daniela Danescu, CIA, CGAP (Romania)
Joyce Drummond-Hill, CBE, CIA, CCSA, CGAP (UK and Ireland)
Kenneth J. Mory, CIA, CPA, CISA (U.S.)
Kathryn Schwerdtfeger, CPA (U.S.)

Reviewers:
Greg Hollyman, CGAP, CFSA, CFE, CISA, CCSA, CIA (Australia)

16

www.globaliia.org/standards-guidance

About The Institute


Established in 1941, The Institute of Internal Auditors (IIA) is an
international professional association with global headquarters in
Altamonte Springs, Fla., USA. The IIA is the internal audit professions global voice, recognized authority, acknowledged leader, chief
advocate, and principal educator.

About Supplemental Guidance


Supplemental Guidance is not part of The IIAs IPPF. It is reference
material that has been validated by The IIA as consistent with the
IPPF and useful to practitioners in their implementation of the IPPF
and the practice of internal auditing. Conformance with the reference
material is encouraged to the extent applicable to the practitioners
organization and the internal audit functions assurance and consulting
objectives. All such material requires full or partial IIA participation
in developing the content. This category is not intended to support or
promote material created by other organizations or individuals.
For other authoritative guidance materials provided by The IIA,
please visit our website at www.globaliia.org.

Disclaimer
The IIA publishes this document for informational and educational
purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only
intended to be used as a guide. The IIA recommends that you always
seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance
on this guidance.

Copyright
Copyright 2012 The Institute of Internal Auditors. For permission
to reproduce, please contact The IIA at guidance@theiia.org.

global headquarters

T: +1-407-937-1111

247 Maitland Ave.

F: +1-407-937-1101

Altamonte Springs, FL 32701 USA

W: www.theiia.org

6/120900/mf/jp